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(g) Method for providing variable authority level user access control in a distributed data processing 
system. 

@ The method of the present Invention may be 
utilized to provide variable authority level user 
access control for a plurality of resource 
objects within a distributed data processing 
system having a plurality of resource managers. 
A reference monitor service is established and a 
plurality of access control profiles are stored 
therein, each including an Identification of a 
selected user and a specified level of authority 
associated with that selected user. Thereafter, 
selected access control profiles are exchanged 
between the reference monitor service and a 
resource manager in response to an attempted 
access of a particular resource object control- 
led by that resource manager. The resource 
manager may then control access to the resour- 
ce object by utilizing the exchanged access 
control profile to determine the extent access is 
permitted by means of the specified level of 
authority contained therein. In a preferred 
embodiment of the present invention, the ac- 
cess intent of a selected user Is determined in 
conjunction with an attempted access of a par- 
ticular resource object and stored. Thereafter, a 
comparison of the stated access intent with the 
specified level of authority contained within the 
access control profile may be utBized to grant 
or deny access. 
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METHOD FOR PROVIDING VARIABLE AUTHORITY LEVEL USER ACCESS CONTROL IN A 
DISTRIBUTED DATA PROCESSING SYSTEM 



BACKGROUND OF THE INVENTION 

Technical Field 

The present invention relates to data processing 
systems in general and in particular to improved 
methods of providing access control for a plurality of 
resource objects within a distributed data processing 
system. Still more particularly, the present invention 
relates to a system which permits variable authority 
level access control throughout a distributed data pro- 
cessing system. 

Description of the Related Art 

Security and access control systems in computer 
based data processing systems are well known in the 
prior art Existing access control systems are gener- 
ally oriented to a single host system. Such single host 
access control systems are generally utilized to pro- 
vide security for the host and access control to appli- 
cations and system resources, such as files. Each 
application must generally provide access control for 
the resources controlled by that application. 

One example of an access control system desig- 
ned for utilization with the IBM 370 system is a product 
called RACF, or Resource Assets Control Facility. 
RACF offers access control for applications, such as 
files or CICS transactions and is hierarchically orien- 
ted in access authority levels and grouping of users. 
RACF is a "password" oriented access control system 
and access is granted or denied based upon a user's 
individual identity and his or her knowledge of an 
appropriate password to verify that identity. The 
RACF system is, however, oriented to a single host 
system and cannot be employed in a distributed data 
processing system which employs multiple hosts 
associated with separate groups of resource objects, 
due to the fact that this system does not allow the 
interchange of access control information from one 
host to another. Further, the RACF system does not 
permit a user to access a resource object at one of a 
plurality of authority levels. That is, for example, it may 
desired to permit a user to read a particular resource 
object, but not alter that object 

Another example of known access control sys- 
tems is AS/400. The AS/400 system is a capability 
based system in which security is based upon each 
individual resource object Each user is authorized to 
access individual resource objects based upon the 
user's capability within the system. The AS/400 sys- 
tem maintains security by keeping User Profiles, 
Object Authority, and System Values within the 
architecture of the machine itself. As above, this sys- 



tem is highly efficient at controlling access to resource 
objects controlled by a single host; however, access 
to resource objects located within a distributed data 
processing system containing multiple hosts cannot 

5 be controlled. That is, access to a resource object 
controlled by one host cannot be obtained by a user 
enrolled at a second host As above, the AS/400 sys- 
tem does not permit the system controller to vary the 
level of authority enjoyed by a particular user with res- 

10 pect to a selected resource object 

One other example of an access control system 
is the DB2 product This product permits a more flexi- 
ble access control and offers granular or bundled 
access control authority. For example, the DB2 sys- 

15 tern may utilize special authorities for administration 
or database operations. Further, access privilege may 
be bundled into a specified authority or role so that a 
user may access specific resource objects based 
upon the user's title or authority level, rather than the 

20 user's personal identity. However, as above, the DB2 
system does not possess the capability of exchanging 
access control information with non-DB2 applications. 

Therefore, it should be obvious that a need exists 
for a method of providing variable authority level user 

25 access control in a distributed data processing sys- 
tem whereby access to selected resource objects 
may be controlled throughout the distributed data pro- 
cessing system by specifying the level of authority 
associated with a specific user for a selected resource 

30 object and then only permitting access to that 
resource object to the extent previously specified. 

SUMMARY OF THE INVENTION 

35 It is therefore one object of the present invention 
to provide an improved data processing system. 

It is another object of the present invention to pro- 
vide an improved method of providing access control 
for a plurality of resource objects within a distributed 

40 data processing system. 

It is yet another object of the present invention to 
provide an improved method of providing access con- 
trol for a plurality of resource objects within a distri- 
buted data processing system which permits a 

45 variable level of authority to be specified for each user 
within a distributed data processing system, with 
regard to specific resource objects. 

The foregoing objects are achieved as is now 
described. The method of the present invention may 

so be utilized to provide variable authority level user 
access control for a plurality of resource objects within 
a distributed data processing system having a 
plurality of resource managers. A reference monitor 
service is established and a plurality of access control 
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profiles are stored therein, each including an identifi- 
cation of a selected user and a specified level of 
authority associated with that selected user. Thereaf- 
ter, selected access control profiles are exchanged 
between the reference monitor service and a resource 
manager in response to an attempted access of a par- 
ticular resource object controlled by that resource 
manager. The resource manager may then control 
access to the resource object by utilizing the 
exchanged access control profile to determine the 
extent access is permitted by means of the specified 
level of authority contained therein. In a preferred 
embodiment of the present invention, the access 
intent of a selected user is determined in conjunction 
with an attempted access of a particular resource 
object and stored. Thereafter, a comparison of the 
stated access intent with the specified level of 
authority contained within the access control profile 
may be utilized to grant or deny access. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The novel features believed characteristic of the 
invention are set forth in the appended claims. The 
invention itself however, as well as a preferred mode 
of use, further objects and advantages thereof, will 
best be understood by reference to the following 
detailed description of an illustrative embodiment 
when read in conjunction with the accompanying 
drawings, wherein: 

Figure 1 depicts a pictorial representation of a dis- 
tributed data processing system which may be 
utilized to implement the method of the present 
invention; 

Figure 2 depicts in block diagram form the access 
control system utilized with the method of the pre- 
sent invention; 

Figure 3 is a high level flow chart depicting the 
establishment of a variable authority level user 
access control system in accordance with the 
method of the present invention; and 
Figure 4 is a high level flow chart depicting vari- 
able authority level access to a resource object In 
accordance with the method of the present inven- 
tion. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

With reference now to the figures, and in particu- 
lar with reference to Figure 1, there is depicted a pic- 
torial representation of a data processing system 8 
which may be utilized to implement the method of the 
present invention. As may be seen, data processing 
system 8 may include a plurality of networks, such as 
Local Area Networks (LAN) 10 and 32, each of which 
preferably includes a plurality of individual computers 
12 and 30, respectively. Of course, those skilled in the 



art will appreciate that a plurality of Interactive Work 
Stations (IWS) coupled to a host processor may be 
utilized for each such network. 

As Is common in such data processing systems, 

5 each individual computer may be coupled to a storage 
device 14 and/or a printer/output device 16. One or 
more such storage devices 14 may be utilized, in 
accordance with the method of the present invention, 
to store applications or resource objects which may 

10 be periodically accessed by any user within data pro- 
cessing system 8. In a manner well known in the prior 
art, each such application or resource object stored 
within a storage device 14 is associated with a 
Resource Manager, which is responsible for maintain- 

15 ing and updating all resource objects associated 
therewith. 

Still referring to Figure 1 , it may be seen that data 
processing network 8 may also include multiple main 
frame computers, such as main frame computer 18, 

20 which may be preferably coupled to Local Area Net- 
work (LAN) 10 by means of communications link 22. 
Main frame computer 18 may also be coupled to a 
storage device 20 which may serve as remote storage 
for Local Area Network (LAN) 10 . Similarly, Local 

25 Area Network (LAN) 1 0 may be coupled via communi- 
cations link 24 through a subsystem control 
unit/communications controller 26 and communi- 
cations link 34 to a gateway server 28. Gateway ser- 
ver 28 is preferably an individual computer or 

30 Interactive Work Station (IWS) which serves to link 
Local Area Network (LAN) 32 to Local Area Network 
(LAN) 10. 

As discussed above with respect to Local Area 
Network (LAN) 32 and Local Area Network (LAN) 10, 

35 resource objects may be stored within storage device 
20 and controlled by main frame computer 18, as 
resource manager for the resource objects thus 
stored. Of course, those skilled in the art will 
appreciate that main frame computer 18 may be 

40 located a great geographic distance from Local Area 
Network (LAN) 10 and similarly Local Area Network 
(LAN) 10 may be located a substantial distance from 
Local Area Network (LAN) 32. That is. Local Area Net- 
work (LAN) 32 may be located in California while 

45 Local Area Network (LAN) 10 may be located within 
Texas and main frame computer 18 may be located 
in New York. 

In known prior art systems of this type, should the 
user of an individual computer 30 desire to access a 

so resource object stored within storage device 20, 
associated with main frame computer 18, it will be 
necessary for the user of computer 30 to be enrolled 
within the security system of main frame computer 1 8. 
This is necessary in order for the user of computer 30 

55 to present the proper password to obtain access to the 
desired resource object Of course, those skilled in 
the art will appreciate that this technique will prove 
ungainly in distributed data processing systems, such 
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as data processing system 8 depicted within Figure 1 . 

Referring now to Figure 2, there is depicted in 
block diagram form the access control system which 
is utilized with the method of the present invention. As 
is depicted, Local Area Networks (LAN) 1 0 and 32 are 5 
illustrated by dashed lines as is main frame computer 
18. In each instance resource objects 42, 48 and 54 
are illustrated in association with each portion of dis- 
tributed data processing system 8 of Figure 1. Of 
course, each object thus illustrated will be stored 10 
within one or more storage devices associated with 
each portion of data processing system 8. As is illus- 
trated, Local Area Network 10 includes a resource 
manager 40 which may be one or more individual 
computers which are utilized to manage selected 15 
resource objects. Also established within Local Area 
Network 10 is a Reference Monitor 44. Reference 
Monitor 44, in accordance with the method of the pre- 
sent invention, is an application or service which is 
utilized to store access control profiles which may 20 
include access control information relating to: selec- 
ted users; selected levels of authority associated with 
selected users; selected resource objects; a selected 
group of users; a selected set of resource objects; or, 
a predetermined set of resource objects and a selec- 25 
ted list of users, each authorized to access at least a 
portion of said predetermined set of resource objects. 

Still referring to Figure 2, it may be seen that 
within Local Area Network (LAN) 33 a resource man- 
ager 46 is illustrated, which is utilized, in a manner 30 
well known in the art, to control access to resource 
object 48. Similarly, a Reference Monitor 50 is 
established within Local Area Network (LAN) 32. 
Reference Monitor 50 is, as described above, prefer- 
ably utilized to store access control profiles relating to 35 
individual users within Local Area Network 32 as well 
as resource objects stored within Local Area Network 
32. 

Finally, main frame computer 18 is illustrated as 
including a resource manager 52 which has 40 
associated therewith one or more resource objects 
54. 

In accordance with an important feature of the 
present invention, any attempted access of a 
resource object, such as resource object 42, 48 or 54 45 
will automatically result in a query by the associated 
resource manager to one or more Reference Monitor 
applications to determine whether or not the access 
requested will be permitted. It should be noted that, in 
accordance with the depicted embodiment of the pre- 50 
sent invention, only one Reference Monitor appli- 
cation is required for data processing system 8; 
however, two are illustrated. In accordance with the 
method of the present invention, communications 
links between a single Reference Monitor application 55 
may be established with each and every resource 
manager within data processing system 8 (see Figure 
1) so that access to selected resource objects may be 



controlled in accordance with the access control infor- 
mation stored within the profiles within that Reference 
Monitor. 

In this manner, a user within Local Area Network 
(LAN) 32 may, via the communications links depicted 
within Figure 1, request access to a resource object 
54 associated with main frame computer 1 8. As will be 
explained in greater detail herein, resource manager 
52 will then query Reference Monitor 44 and/or Refer- 
ence Monitor 50 to determine whether or not a profile 
exists which permits the requested access. If so, the 
profile information is exchanged between the approp- 
riate Reference Monitor and resource manager 52 
and access to resource object 54 may be permitted. 

With reference now to Figure 3, there is depicted 
a high level flow chart depicting the establishment of 
a variable authority level access control system In 
accordance wit the method of the present invention. 
As is illustrated, the process begins at block 60 and 
thereafter passes to block 62, which depicts the defi- 
ning of an access control profile for an object or group 
of objects, by the associated resource manager. As is 
illustrated, the resource manager may define one or 
more selected users, one or more particular resource 
objects, and the authority level which each user may 
have with respect to a selected object 

By authority level what is meant is whether or not 
the particular user in question has authority to alter 
the resource object in question, read the resource 
object in question, take any action with respect to the 
resource object or no action with respect to the 
resource object Thereafter, block 64 illustrates the 
storing of that profile within a Reference Monitor appli- 
cation. 

Next block 66 illustrates a determination of 
whether or not additional profiles are to be established 
and if so, the process returns to block 62 and con- 
tinues thereafter in an iterative fashion. In the event 
no additional profiles are to be created, the process 
passes to block 66 and terminates. 

Finally, referring to Figure 4, there is depicted a 
high level flow chart depicting access to a resource 
object in accordance with the method of the present 
invention. As is illustrated, the process begins at block 
70 and thereafter passes to block 72 which illustrates 
the receipt by a resource manager of an access 
request for a resource object within that resource 
manager's purview. Next the process passes to block 
74 which illustrates a query by the resource manager 
to that user to determine the access intent of the user 
with regard to the resource object in question. As 
utilized herein, the phrase 'access intent" shall mean 
a determination of whether or not the user desires to 
take any of the following actions with regard to a 
selected resource object view, update, delete object 
grant access, create relationships, or, delete relation- 
ships. Of course, this list is not meant to be all-inclu- 
sive or limiting in nature. 
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Next, block 76 illustrates a query by the resource 
manager to one or more Reference Monitor appli- 
cations which may exist within the distributed data 
processing system to determine whether or not an 
access control profile exists for the resource object or s 
user in question. Block 78 then illustrates the logging 
of this access attempt at the Reference Monitor appli- 
cation. Such logging shall preferably include the stor- 
age of an identification of the particular user, the 
selected resource object and the stated intent of the 1 o 
user with regard to that particular resource object 
Next, block 80 depicts the retrieval of the appropriate 
access control proffle for the particular user or object 
in question. Block 82 then illustrates a determination 
of whether or not access to the selected resource is 
object is permitted, in accordance with the information 
contained within the retrieved profile. 

In the event access to the resource object in 
question is not permitted, as determined by the 
access control profile thus retrieved, block 84 illus- 20 
trates the denial of access to the requested resource 
object by means of an appropriate message to the 
requester. 

In the event access to the resource object in 
question is to be permitted, as determined in block 82, 25 
then block 86 illustrates a determination of whether or 
not the access control profile indicates the user in 
question has a sufficient authority level for the access 
intent which has been entered. If not, block 84 once 
again illustrates the dental of access to the requested 30 
resource object with an appropriate message to the 
requester. Of course, those skilled in the art will 
appreciate that where access has been denied due to 
insufficient authority level, a message may be dis- 
played to the requester indicating that the access 35 
intent entered exceeds his or her authority level for the 
resource object in question. Thereafter, a different 
access intent may be entered by the requester. 

Finally, in the event the authority level contained 
within the access control profile for a particular user 40 
and a selected resource object is sufficient for the 
access intent entered by the user, as determined in 
block 86, then block 88 illustrates the accessing of the 
object in question. Thereafter, the process termi- 
nates, as illustrated in block 90. 45 

Upon reference to the foregoing, those skilled in 
the art will appreciate that by utilizing a plurality of 
access control profiles stored within a reference moni- 
tor service, in accordance with the method of the pre- 
sent invention, it will be possible to define multiple so 
levels of authority which may exist for each user 
authorized to access a particular resource object. For 
example, a group of users may be authorized to 
access a particular object only to view that object and 
not to update, delete, or modify that object Further, 55 
other selected users may have full authority to modify 
or delete the resource object as they desire. By utili- 
zing the method of the present invention, it will be 



possible to restrict the authority with which each user 
within the system may enjoy with respect to a particu- 
lar resource object so that access to those resource 
objects may not include a concomitant ability to alter 
or delete the resource object in question. In this man- 
ner, information may be more widely disseminated 
while protecting the integrity of the resource objects 
containing such information. 

While the invention has been particularly shown 
and described with reference to a preferred embodi- 
ment it will be understood by those skilled in the art 
that various changes in form and detail may be made 
therein without departing from the spirit and scope of 
the invention. 



Claims 

1. A method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
tem having a plurality of resource managers 
associated with said plurality of resource objects, 
said method comprising the steps of: 

storing within a reference monitor service 
a plurality of access control profiles, each includ- 
ing an identification of a selected user and a 
specified level of authority associated with said 
selected user; 

exchanging a selected access control pro- 
file between said reference monitor service and a 
selected resource manager in response to an 
attempted access of a particular resource object 
by a selected user; and 

utilizing said resource manager to control 
access to said particular resource object by said 
selected user, to the extent permitted by said 
specified level of authority. 

2. The method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
tem according to Claim 1 wherein said plurality of 
access control profiles each includes an identifi- 
cation of a selected resource object 

3. The method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
tem according to Claim 1 wherein selected ones 
of said plurality of access control profiles include 
an identification of a selected group of users and 
a specified level of authority associated with each 
of said selected group of users. 

4. A method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
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tern having a plurality of resource managers 
associated with said plurality of resource objects, 
said method comprising the steps of: 

storing within a reference monitor service 
a plurality of access control profiles, each includ- 5 
ing an identification of a selected user and a 
specified level of authority associated with said 
selected user; 

exchanging a selected access control pro- 
file between said reference monitor service and a 10 
selected resource manager in response to an 
attempted access of a particular resource object 
by a selected user; 

determining the access intent of said 
selected user, and 15 

utilizing said resource manager to control 
access to said particular resource object by said 
selected user by comparison of said access intent 
with said specified level of authority. 

20 

5. The method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
tem according to Claim 4 wherein said plurality of 
access control profiles each includes an identifi- 25 
cation of a selected resource object 

6. The method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 30 
tern according to Claim 4 wherein selected ones 

of said plurality of access control profiles include 
an identification of a selected group of users and 
a specified level of authority associated with each 
of said selected group of users. 35 



user to input said access intent in conjunction 
with an attempted access of a particular resource 
object 



7. The method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
tem according to Claim 4 wherein said specified 40 
level of authority associated with said selected 
user indudes an indication of whether said selec- 
ted user may alter said particular resource object. 



8. The method of providing variable authority level 45 
user access control for a plurality of resource 
objects within a distributed data processing sys- 
tem according to Claim 4 wherein said specified 
level of authority associated with said selected 
user includes an indication of whether said selec- 50 
ted user may view said particular resource object 



9. The method of providing variable authority level 
user access control for a plurality of resource 
objects within a distributed data processing sys- 55 
tern according to Claim 4 wherein said step of 
determining the access intent of said selected 
user comprises the step of requiring said selected 
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